12 .htaccess hacks everyone should know


It was my Quicksport WordPress theme that forced me to write this article, while I was implementing W3 Total Cache on my multi-site demo website.

We are all well aware of how powerful .htaccess can be, but at the same time it is the most dangerous place to edit if you do not know how .htaccess directives work; a single mistake in .htaccess causes an internal server error for the whole site. (A single stray Enter key broke my website, and it took two days to restore it.)

Before you begin editing the .htaccess file, make sure your hosting company allows you to edit it. Some hosts do not permit .htaccess changes, because a bad directive can disrupt their server configuration. Don’t worry, most top cPanel hosting companies do allow it.

If your hosting company permits you to edit the .htaccess file, there is a lot you can do with it, from hardening WordPress security to improving speed.

In this article, I am going to share with you the 12 most powerful and useful .htaccess tricks for WordPress.

Before you begin, connect to your site over FTP or open cPanel’s file manager.

Next, locate the .htaccess file; it should be in the root directory of your WordPress installation, next to the WordPress core files. If you do not see a .htaccess file, it is either hidden or has never been generated because you did not save a permalink setting.

- If you are using cPanel’s file manager, make sure “show hidden files” is checked when you click the file manager icon.

- Go to Settings -> Permalinks and click Save; this makes WordPress generate the .htaccess file for you.

Now back up the existing .htaccess file and save the copy to your desktop; if anything goes wrong, you can always restore it.

Note: always apply one trick at a time; after applying it, go back to your WordPress site and check that it still works and functions properly.

Top 12 Most Useful .htaccess Tricks for WordPress

1. Additional Security Login Layer for wp-admin Login

Normally, to reach the WordPress dashboard you type yourdomain.com/wp-admin and log in on the login page that appears.

To harden the login page, you can set up an additional security layer: when you go to yourdomain.com/wp-admin, the browser shows a login pop-up first, and only once you have entered that login correctly are you forwarded to the default WordPress login page.

It sounds like a troublesome way to log in, but it improves your website’s security.

1) Create a .htpasswd file: go to htaccesstools.com/htpasswd-generator/ and generate a username and password entry.

2) Upload the .htpasswd file to your WordPress wp-admin folder.

3) Add the following code to the .htaccess file inside the wp-admin folder (create the file if it does not exist):

# Goes in wp-admin/.htaccess (create it if none exists)
ErrorDocument 401 default
AuthType Basic
AuthName "Restricted Area"
# Absolute server path to the .htpasswd you uploaded; adjust it to your account
AuthUserFile /home/public_html/wp-admin/.htpasswd
Require valid-user
# Themes and plugins call admin-ajax.php from the front end; keep it reachable
<Files admin-ajax.php>
Allow from all
Satisfy any
</Files>
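An online generator means pasting your admin password into a third-party website. The following script is an added example (it is not part of the original article) that produces and verifies the same kind of .htpasswd line locally, in Apache’s {SHA} format, which is what the Python standard library can produce offline. Where the Apache utilities are installed, `htpasswd -B` (bcrypt) is the stronger choice. The username `wpadmin` and the output path are assumptions for the demonstration.

```python
# Added example: generate and verify Apache .htpasswd entries locally in the
# "{SHA}" format (base64 of SHA-1), so the password never leaves your machine.
import base64
import hashlib
import hmac
import os
import secrets


def sha_entry(username: str, password: str) -> str:
    """Return one '{SHA}' .htpasswd line for username/password."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify(line: str, username: str, password: str) -> bool:
    """Check a candidate password against one '{SHA}' .htpasswd line."""
    user, _, stored = line.strip().partition(":")
    if user != username or not stored.startswith("{SHA}"):
        return False
    expected = base64.b64decode(stored[len("{SHA}"):])
    candidate = hashlib.sha1(password.encode("utf-8")).digest()
    # constant-time comparison, as a password check should use
    return hmac.compare_digest(expected, candidate)


def random_password(nbytes: int = 18) -> str:
    """A random password; Basic auth sends it with every request, so use HTTPS."""
    return secrets.token_urlsafe(nbytes)


def write_htpasswd(path: str, username: str, password: str) -> str:
    """Write a one-user .htpasswd with owner-only permissions; return the line written."""
    line = sha_entry(username, password)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(line + "\n")
    return line


if __name__ == "__main__":
    # Assumed username; the generated password is printed once so you can note it.
    pw = random_password()
    print(write_htpasswd(".htpasswd", "wpadmin", pw))
    print("generated password:", pw)
```

Upload the resulting .htpasswd to wp-admin and point AuthUserFile at its absolute server path; the file must not be readable by other accounts on a shared host.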

2. Limiting IPs Access to wp-admin

It is a very good idea to allow only certain IP addresses to access wp-admin. To do that you need to know your own IP address; if you are not sure, simply search “what is my IP” on Google and it will show you.

Copy and paste the following into the .htaccess file inside your wp-admin folder:

# Goes in wp-admin/.htaccess. No <Limit> block is used on purpose: <Limit GET>
# would restrict only GET/HEAD and leave POST and other methods open.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
Order deny,allow
Deny from all
# Replace xx.xx.xx.xxx with your IP address; repeat the line for more addresses
Allow from xx.xx.xx.xxx
# Keep admin-ajax.php reachable for front-end features of themes and plugins
<Files admin-ajax.php>
Allow from all
</Files>

Replace xx.xx.xx.xxx with your IP address. Note that wp-login.php sits outside the wp-admin folder, so this restricts the dashboard, not the login form itself.
Note: if you do not have a dedicated (static) IP address, do not apply this hack; most ISPs keep changing your IP, which would lock you out and create a lot of trouble for you.

3.  Disable Directory Browsing

Most WordPress security plugins have this option, but if you are not fond of using plugins, you can add the following line to the .htaccess file:

Options -Indexes

4. Disable PHP Execution in Certain Folders

It is a pretty common tactic for attackers to upload PHP files into the uploads and wp-includes folders, so that they can run those files and compromise your site.

To prevent PHP execution there, create a blank .htaccess file, upload it to the wp-includes and wp-content/uploads folders, and add the following code to it. Multisite installs created before WordPress 3.5 serve uploads through wp-includes/ms-files.php, so check your site after adding it:

# Refuse to serve any file ending in .php from this folder and its subfolders
<Files *.php>
Deny from all
</Files>
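Since the rule above only matches names ending in .php, it is worth checking what is actually sitting in those folders. The script below is an added example (not part of the original article) that lists files whose names carry a PHP-executable extension anywhere, including double extensions such as photo.php.jpg, which some handler configurations still execute. The extension list and the constructed sample paths are assumptions; the directory argument to scan_directory is whatever uploads folder you point it at.

```python
# Added example: find PHP-like files in a WordPress uploads or wp-includes tree.
import os
import re
from typing import Iterable, List

# Extensions a PHP handler may be mapped to, depending on server configuration.
# "<Files *.php>" covers only the plain .php case, so the scan is deliberately broader.
PHP_EXT_RE = re.compile(r"\.(php|phtml|php[3-7]|phar)(\.|$)", re.IGNORECASE)

# Constructed sample listing (relative paths), not taken from any real site.
SAMPLE_PATHS = [
    "2014/01/photo.jpg",
    "2014/01/shell.php",
    "2014/02/cover.php.jpg",
    "2014/02/notes.txt",
    "cache/x.phtml",
]


def suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Return, sorted, the paths whose file name contains a PHP-executable extension."""
    return sorted(p for p in paths if PHP_EXT_RE.search(os.path.basename(p)))


def scan_directory(root: str) -> List[str]:
    """Walk a real directory tree and apply suspicious_paths to every file in it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return suspicious_paths(found)


def has_php_block(root: str) -> bool:
    """True if root/.htaccess exists and contains the 'deny from all' rule from the article."""
    path = os.path.join(root, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read().lower()
    return "<files *.php>" in text and "deny from all" in text


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_directory(root) if root else suspicious_paths(SAMPLE_PATHS)
    for hit in hits:
        print("review:", hit)
    if root:
        print(".htaccess PHP block present:", has_php_block(root))
```

Run it as `python scan.py wp-content/uploads` on the server or on a downloaded copy; every reported file deserves a look, and a file you did not put there is a sign the site needs a proper clean-up, not just the .htaccess rule.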

5. Protect wp-config File

wp-config.php is one of the most important files in a WordPress install, so it is very important to protect it from unauthorized access. To do that, simply add the following code to the .htaccess file:

<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

6. Ban IP Address

If you do not want a certain IP address to access your site, add the following code to your .htaccess file:

Order allow,deny
# Replace xx.xx.xx.xxx with the address to ban; add one "Deny from" line per address
Deny from xx.xx.xx.xxx
Allow from all

Replace xx.xx.xx.xxx with the IP address.
Note: you can also ban an IP address from leaving comments on your website through the WordPress admin panel -> Settings -> Discussion.
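Deciding which address to ban is easier with evidence from the access log. The script below is an added example (not from the article) that counts failed login attempts per client IP in Apache’s combined log format and prints ready-made “Deny from” lines. It relies on a WordPress behaviour: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful one answers with a 302 redirect. The log lines are constructed for the demonstration and the threshold of 3 is an assumption; the same caveat about shared or changing IP addresses from trick 2 applies to any ban.

```python
# Added example: turn repeated wp-login.php failures in an Apache access log
# into candidate "Deny from" lines for .htaccess.
import re
from collections import Counter
from typing import Iterable, List

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:09:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "http://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:09:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:09:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:09:12:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:09:13:10 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2014:09:13:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2014:09:14:00 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# ip, identd, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def failed_logins(lines: Iterable[str]) -> Counter:
    """Count POSTs to wp-login.php that got a 200 (form shown again) per client IP."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort on a big log
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == "/wp-login.php" and m.group("status") == "200":
            counts[m.group("ip")] += 1
    return counts


def deny_directives(counts: Counter, threshold: int = 3) -> List[str]:
    """Render .htaccess 'Deny from' lines for every IP at or above the threshold."""
    return [f"Deny from {ip}" for ip, n in counts.most_common() if n >= threshold]


def report(log_text: str = SAMPLE_LOG, threshold: int = 3) -> str:
    """Human-readable summary followed by the directives to paste."""
    counts = failed_logins(log_text.splitlines())
    out = ["# failed wp-login.php attempts per IP"]
    out += [f"# {ip}: {n}" for ip, n in counts.most_common()]
    out += deny_directives(counts, threshold)
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

With a real log, run `python loginfail.py /path/to/access.log`; the printed directives go under the “Order allow,deny” line shown above, before “Allow from all”.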

7.  Protect .htaccess

Of course, the .htaccess file itself needs to be protected as well. To do that, copy and paste the following code into the .htaccess file:

# Block web access to .htaccess, .htpasswd and any other file whose name starts with .hta
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</Files>

8. GZip Compression

If your site is slow, you can compress most text-based responses with mod_deflate to speed it up. To do that, add the following code to the .htaccess file:

# BEGIN GZIP
<IfModule mod_deflate.c>
# Compress text-based responses only; images are already compressed and are left alone
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/javascript
</IfModule>
# END GZIP

9.  Leveraging Browser Caching

If you have a lot of images, you can use this hack to let browsers cache them and speed up repeat visits:

## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
# Static assets: long lifetimes are safe because their content rarely changes
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/x-icon "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
# Not applied to text/html: WordPress pages are dynamic, and caching them for a
# month would hide new posts and comments from returning visitors
# ExpiresByType text/html "access 1 month"
ExpiresDefault "access 1 month"
</IfModule>
## END EXPIRES CACHING ##

10. Redirect www to non-www and Visa Versa

This is a very common issue on WordPress sites: owners fail to notice that their domain has two versions, www and non-www, and you need to stick with one to avoid the potential for duplicate content.

If you want to use non-www, redirect www to non-www by adding the following code (make sure to change your-domain.com to your own domain):

# Place these lines above the "# BEGIN WordPress" block so they run first
RewriteEngine On
RewriteCond %{HTTP_HOST} !^your-domain\.com$ [NC]
RewriteRule ^(.*)$ http://your-domain.com/$1 [R=301,L]

Likewise, if you want to use www, redirect non-www to www by adding the following code:

# Place these lines above the "# BEGIN WordPress" block so they run first
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

11. Prevent Direct Hotlinking

Image hotlinking is when someone else links directly to your hosted images without your permission. The hotlinker profits from your images at the cost of your bandwidth, because every view of such an image increases your bandwidth usage and ultimately your hosting bill. This is why the practice is often called bandwidth theft.

<IfModule mod_rewrite.c>
 RewriteEngine On
 # Requests with no Referer (direct visits, privacy browsers, feed readers) are let through
 RewriteCond %{HTTP_REFERER} !^$
 # Replace domain.com with your own domain; subdomains and https are covered
 RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain\.com/ [NC]
 # Image search engines are allowed so your images still appear in image search
 RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]
 RewriteRule \.(bmp|gif|jpe?g|png)$ - [NC,F]
</IfModule>

Replace domain.com with your own domain name and extension. With this code in place, almost all direct image hotlinking is answered with a Forbidden response, so the hotlinked image on other websites shows a small broken-image icon instead of the original. We have intentionally excluded the major image search engines from the rule so that they can still crawl your images and show them in image searches. If you want, you can remove that line from the code above or add more image crawler user agents to it.

12. Send Replacement Image on Hotlinking

If you want to show end users that an image has been hotlinked from your domain, you can serve a replacement image in place of the one requested. Every hotlink request is then answered with the replacement image, which is what the end users see. For this to work, create a replacement image (hotlink.png in the root of your site) containing whatever custom message you like.

Code for the .htaccess file:

<IfModule mod_rewrite.c>
 RewriteEngine On
 # Requests with no Referer (direct visits, privacy browsers, feed readers) are let through
 RewriteCond %{HTTP_REFERER} !^$
 # Replace domain.com with your own domain; subdomains and https are covered
 RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain\.com/ [NC]
 RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]
 # Never rewrite the replacement image itself, or the rule would loop
 RewriteCond %{REQUEST_URI} !^/hotlink\.png$
 RewriteRule \.(bmp|gif|jpe?g|png)$ /hotlink.png [NC,L]
</IfModule>
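Rewrite rules are easy to get subtly wrong, and testing them on a live site is slow. The script below is an added example (not from the article) that models the decision the two hotlink rule sets make for a single request, both the Forbidden variant and the replacement-image variant, including an allowance for requests that carry no Referer header, which browsers that strip the header and direct visits would otherwise trip over. The site name domain.com and the request values are placeholders and constructed inputs.

```python
# Added example: decide, the way Apache's hotlink rules would, what one image
# request gets, so the conditions can be checked offline before editing .htaccess.
import re
from typing import Tuple

SITE = "domain.com"  # placeholder from the article; use your own domain
CRAWLERS = re.compile(r"googlebot-image|msnbot|psbot|yahoo-mmcrawler", re.IGNORECASE)
IMAGE = re.compile(r"\.(bmp|gif|jpe?g|png)$", re.IGNORECASE)
REPLACEMENT = "/hotlink.png"


def own_referer(referer: str, site: str = SITE) -> bool:
    """Mirror of: RewriteCond %{HTTP_REFERER} ^https?://([^.]+\\.)?domain\\.com/ [NC]

    The trailing "/" matters: it stops domain.com.evil.example from passing.
    """
    pattern = r"^https?://([^.]+\.)?" + re.escape(site) + r"/"
    return re.match(pattern, referer, re.IGNORECASE) is not None


def decide(uri: str, referer: str, user_agent: str, replacement: bool = True) -> Tuple[int, str]:
    """Return (status, path served) for a request.

    replacement=False models the [F] rule set (403); True models serving /hotlink.png.
    Every RewriteCond must hold for the rule to fire, so the first exemption wins.
    """
    if not IMAGE.search(uri):
        return 200, uri                      # RewriteRule pattern does not match
    if referer == "":
        return 200, uri                      # RewriteCond %{HTTP_REFERER} !^$
    if own_referer(referer):
        return 200, uri                      # referer is our own site or a subdomain
    if CRAWLERS.search(user_agent):
        return 200, uri                      # image search engines are exempt
    if replacement:
        if uri.lower() == REPLACEMENT:
            return 200, uri                  # RewriteCond %{REQUEST_URI} !^/hotlink\.png$
        return 200, REPLACEMENT              # internal rewrite to the replacement image
    return 403, uri                          # [F]: Forbidden


if __name__ == "__main__":
    # Constructed requests, not real traffic.
    cases = [
        ("/wp-content/uploads/a.jpg", "", "Mozilla/5.0"),
        ("/wp-content/uploads/a.jpg", "http://blog.domain.com/post/", "Mozilla/5.0"),
        ("/wp-content/uploads/a.jpg", "http://domain.com.evil.example/", "Mozilla/5.0"),
        ("/wp-content/uploads/a.jpg", "http://evil.example/", "Googlebot-Image/1.0"),
    ]
    for uri, ref, ua in cases:
        print(uri, repr(ref), ua, "->", decide(uri, ref, ua), decide(uri, ref, ua, replacement=False))
```

If a case here does not come out the way you expect, the .htaccess rule will not either; in particular the empty-Referer check is what keeps your own visitors from seeing the replacement image when their browser sends no Referer.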

In Summary

My dear friends, these are some of the basic and most used .htaccess tricks that I have found useful for any WordPress site. If you know any other useful trick or hack, feel free to share it with us. I hope these 12 .htaccess tricks help you manage your WordPress blog or site.


Comments

  1. salman says:

    Dear Rakesh Sir, where do I add the code below in the .htaccess file for image hotlinking?

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?domain\.com/ [NC]
    RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]
    RewriteCond %{REQUEST_URI} !^/hotlink\.png$
    RewriteRule \.(bmp|gif|jpe?g|png)$ /hotlink.png [L]

    Waiting for your reply Sir

    • rakesh says:

      Hi Salman, add this code at the end of your .htaccess file. You can even send another file in place of your hotlinked image. If you want that trick, send me a separate email at rakesh@binarynote.com

  2. You have provided very necessary content. The code for images and zip are the ones that I needed. I have also heard about plugins for this. Which one do you suggest?

    • rakesh says:

      Hi twinkle, I hate plugins, as they start increasing the page load time, and how they are coded depends totally on the capabilities of the coder. A good plugin, if coded badly, would do much more harm than the benefit it is trying to provide. Thus I will recommend you to copy and paste these lines into your .htaccess file.
